BlackBerry outlines Heartbleed updates as threat scrutinized

Reuters, BOSTON

Tue, Apr 15, 2014 - Page 15

BlackBerry Ltd said it plans to release security updates for messaging software for Android and iOS devices by Friday to address vulnerabilities in programs related to the Heartbleed security threat.

Researchers last week warned they uncovered Heartbleed, a bug within the OpenSSL software commonly used to keep data secure, potentially allowing hackers to steal massive troves of information without leaving a trace.

Security experts initially told companies to focus on securing vulnerable Web sites, but have since warned about threats to technology used in data centers and on mobile devices running Google Inc’s Android software and Apple Inc’s iOS software.

Scott Totzke, BlackBerry senior vice president, told reporters on Sunday that while the bulk of BlackBerry products do not use the vulnerable software, the company does need to update two widely used products: Secure Work Space corporate e-mail and BBM messaging program for Android and iOS.

He said the two products are vulnerable to attacks if hackers gain access to those apps through either Wi-Fi connections or carrier networks.

Still, “the level of risk here is extremely small,” because BlackBerry’s security technology would make it difficult for a hacker to succeed in gaining data through an attack, he said.

“It’s a very complex attack that has to be timed in a very small window,” he said, adding that it was safe to continue using those apps before an update is issued.

Google spokesman Christopher Katsaros declined to comment. Officials with Apple could not be reached.

Security experts say that other mobile apps are also likely vulnerable because they use OpenSSL code.

Michael Shaulov, chief executive of Lacoon Mobile Security, said he suspects that apps that compete with BlackBerry in an area known as mobile device management are also susceptible to attack because they, too, typically use OpenSSL code.

Companies including Cisco Systems Inc, Hewlett-Packard Co, IBM Corp, Intel Corp, Juniper Networks Inc, Oracle Corp and Red Hat Inc have told customers that they may be at risk. Some firms’ updates are out, while others, like BlackBerry, are rushing to get them ready.